

InterMEDIA | April 2020 Vol 48 Issue 1 | www.iicom.org

The practice of surveillance began with the covert interception of mail, with telegram and telephone interception being added centuries later. These activities were undertaken by the police and secret police, later intelligence services, together with the post office, often without an explicit legal framework or checks and balances, but constrained by limited resources.

Over time these practices had to be reconciled with the growing recognition of privacy as a human right under national constitutions and international treaties, with the European Union creating a right to data protection. Liberalisation of telecommunications markets demanded the clarification of authorisation for wiretapping, and the payment of costs and legal liabilities through legislation and licensing.

The scope of surveillance was expanded with the profusion of new services, enabled by advances in technology and the increasing use of over-the-top applications, often without providers having a legal or physical presence in the particular jurisdiction.

Perceptions of the threats, especially of the rise of terrorism, changed views of the scale and scope of the data and metadata that should be collected, often under pressure for immediate action and fear of criticism for the failure to have intercepted or passed information between agencies.

The result has been varied national regimes, offering different levels of protection for individuals, with governments using tools purchased, sometimes covertly, from a complex surveillance industry ecosystem.

Surveillance has moved into the internet of things, with the plethora of internet-enabled devices, some wearable, and the complications of often unencrypted transmission of data to service providers. Increasingly, citizens and consumers transmit and share their data in the name of security and health, or for convenience, lifestyle and entertainment.

For example, local police forces in the United States have partnered with home security company Ring to offer free or discounted smart camera systems to local residents. In addition to features such as video-enabled doorbell ringing on homeowner smartphones, Ring facilitates police access to images taken from doorbell cameras.1 There are concerns these can be intercepted directly or images obtained from the service provider without a court order or the consent of the customer.

At the time of writing, governments of all persuasions are moving to utilise surveillance technologies to address the profound health and economic challenges wrought by the COVID-19 pandemic.

SURVEILLING THE SURVEILLERS

Although the public was rarely told directly about surveillance techniques or the scale of their use, some information found its way into newspaper reports of trials and into crime and spy fiction and, later, the cinema. Nowadays, universal and regional treaties exist to protect human rights, including privacy, in countries with significant observance of the rule of law. But surveillance technologies are also embedded in network equipment as “lawful interception” and available to countries with little, if any, regard for human rights.

While there are formalised mechanisms in some jurisdictions, such as complaints bodies and annual reporting, the level of privacy protection is inconsistent overall and transparency and oversight around surveillance remain patchy, with governments often closely guarding and actively concealing information.

Countries treat matters of national security very differently, with too many parliaments entirely excluded from such topics and power reserved to the head of state and security agencies. While parliaments should be overseeing police and intelligence services and scrutinising budgets and practices, the use of technologies such as international mobile subscriber identity-catchers (IMSI-catchers) and surveillance malware has almost never been discussed, whereas the collection of metadata has been debated in some parliaments, being an obligation imposed on commercial operators.

Reports on the use of interception and surveillance are presented to a small number of more powerful parliaments, but the vast majority of countries do not publish policies, list equipment available to their police and intelligence services or indicate the scale of their surveillance activities. The United Nations frequently reports violations of human rights, but is unable to enforce them. There is commendable work by groups such as the Citizen Lab and Privacy International, but these are too few in number for the task they face.

Surveillance creep has made the leap front and centre as the world responds to COVID-19. EWAN SUTHERLAND charts the shifts in technology, practice and norms.

S U R V E I L L A N C E

TRACKING SURVEILLANCE


The growth of corporate social responsibility has seen some multinational corporations adopt policies and report on the surveillance activities they conduct in response to judicial and police orders. As Vodafone noted, it was forbidden by the governments of Egypt and South Africa to disclose anything more than the legal provisions, despite concerns about both regimes.2 While the MTN Group has published its human rights strategy, it manages to reconcile this with the surveillance and wiretapping obligations of the repressive governments of Iran, Syria and Yemen, apparently to the satisfaction of its investors.3

LITIGATION AND LOCATION

Litigation has been a source of insight into the workings of lawful intercept regimes, which often have a cross-border dimension, and has shaped approaches to surveillance.

United States. The Electronic Frontier Foundation (EFF) sued the US National Security Agency, challenging its right to operate the Orwellian sounding “Room 641A”, an interception facility at AT&T. The case was dismissed by the Court of Appeals, because of retroactive immunity granted by the US Congress,4 which the US Supreme Court consequently declined to hear.5 A further case by the EFF was dismissed by the District Court, then reinstated by the Court of Appeals, but has yet to reach judgement.6

United Kingdom. Public interest litigation is underway in the United Kingdom, following freedom of information requests, to determine how many IMSI-catchers have been purchased by the police and what the policy is for their use, since there had been no public disclosure.7

Africa. There have been occasional cases about human rights, but there is no right to privacy in the African Union treaty. In Malawi, attempts to block the use of the Consolidated ICT Regulatory Management System were rejected on appeal, despite lower courts accepting arguments that the collection of call data records violated the right to privacy.8 A case that the mandatory registration of SIM cards in South Africa violated the right to privacy was launched a decade ago, but has yet to conclude.9

Cross-border. The issue of court-ordered access to servers came to prominence with BlackBerry, which encrypted its BlackBerry Messenger service on servers in Canada. Governments in, for example, India and the United Arab Emirates worked to persuade BlackBerry to place servers in their jurisdictions so that they might have access to the contents.10 A different approach has been taken in Russia where, following the “colour” revolutions and the Arab Spring, systematic monitoring that had been reduced in post-Soviet times was reinstated with expanded capacity, notably of social networks.11 The Putin administration has attempted to force social network providers to locate servers in Russia and to store user data for one year, in order to bring them within its control, reinforced by blocking non-compliant services at the international gateway.12

A SURVEILLANCE ECOSYSTEM

Governments have imposed obligations on operators and service providers to collect and store data and metadata about their customers. Standards have evolved under the term “lawful interception” used in what is now a complex global market for hardware and software, that includes well-known and specialist firms, including some venture capital funded start-ups.13 Police and intelligence services purchase equipment to undertake surveillance, at best with limited reporting to parliaments and the public. Access to surveillance, encryption and decryption tools is no longer the exclusive domain of governments and security or law enforcement agencies.

Supposedly, the export of surveillance technologies from Western countries is controlled by the Wassenaar Arrangement, to ensure they are not available to autocratic or authoritarian governments. However, some exports appear to avoid the controls and some vendors are in countries that are not signatories. It seems likely that just as demand is met for encryption technologies, demand will also be met for interception and decryption technologies, regardless of concerns for human rights. Indeed, some countries may see the supply of surveillance technologies to authoritarian regimes as politically beneficial.

IMSI-catchers. One device that has received little publicity is the IMSI-catcher or “stingray”, the latter being a brand name assigned by the Harris Corporation. These devices are designed to perform some of the functions of a mobile telephone base station, interrogating mobile phones over short distances to obtain their international mobile subscriber identity (IMSI) and international mobile equipment identity (IMEI), the serial numbers of the SIM card and handset respectively.

An IMSI-catcher at an airport could monitor arriving customers, capturing IMEI numbers before customers switch to local SIM cards, and potentially link them to passenger and passport records. Similarly, at a protest or political demonstration, IMSI-catchers might capture details of those marching past an office or van. IMSI-catchers have also been used in drones and light aircraft to scan wider areas.

A number of firms supply IMSI-catchers, purportedly only to law enforcement authorities, but devices are available for sale on Alibaba,14 while GitHub has instructions for a do-it-yourself device. Last year, Bangladesh tendered for a backpack IMSI-catcher for its notorious Rapid Action Battalion,15 building on prior equipment and training procurements by the same unit.

In many African countries there are requirements that SIM cards be registered in a database, which when linked to an IMSI-catcher would generate names and addresses, even biometric data. However, there are many problems with inaccuracies in such databases, potentially leading to serious difficulties for wrongly identified individuals. Unusually, one IMSI-catcher turned up in the South African parliament where it had been used to jam mobile phone signals, purportedly to stop the detonation of any bombs. In the absence of permission from the parliament, this was held to be unlawful.16

Backdoors. One of the more controversial demands of government has been for “backdoors” in devices and services. There was a long debate in the United States about this for the Clipper chip in the early 1990s. With the growth of relatively secure mobile apps, the Five Eyes alliance of interception agencies has again called for backdoors so they can more easily decipher communications.17

Given widespread uptake of encrypted communications, venture capital-based firms have emerged that offer to intercept and decipher communications, or get around encryption. A number have appeared in Israel, notably the NSO Group, owned by London-based private equity fund Novalpina Capital, which has controversially denied supplying surveillance technologies to authoritarian governments that use them to spy on human rights campaigners and journalists.

[Image: Thermal temperature measuring drone used as part of COVID-19 interventions in Istanbul]

[Image: Personal tracking app with QR code showing whether a person is infected with COVID-19]

In the US, as part of a high-profile stand-off between the Federal Bureau of Investigation (FBI) and Apple in 2015-16 over access to an iPhone during a criminal investigation, the FBI successfully turned to a third party to build a tool to break into the iPhone and retrieve files from it.

In Uganda the intelligence service deployed surveillance malware from fake Wi-Fi hotspots.18 This enables it to bypass any encryption by seizing control of the smartphone or tablet computer, capturing keystrokes and copying files.

THE PANDEMIC PANOPTICON

At an early stage the distinction was drawn between “Before COVID-19 (BC)” and “After COVID-19 (AC)” in the expectation of significant cultural, economic, political and social changes. Dr Anthony Fauci, the leading US epidemiologist, forecast the permanent demise of handshaking. Such changes are not unexpected, with 9/11 having brought increasingly sophisticated detectors to airports and AIDS having changed sexual practices. Inevitably, there has been fraud, price gouging and quackery by opportunists exploiting human weaknesses.

The explosive growth of Zoom by people suddenly switching away from in-person meetings revealed that security had not been included in its basic design, causing many prohibitions of its use and a scramble by the company behind the service to catch up.

To flatten the peaks of those being infected, ventilated and dying, governments and medical authorities turned to a traditional practice of tracking and tracing those who had had contact with persons infected with the SARS-Coronavirus-2 that causes the COVID-19 disease.

Outbreaks of SARS in 2003, MERS in 2015, and novel influenzas had mostly been confined to East Asia, where governments had transformed these processes by adopting digital methods. For example, South Korea had both legal and technical frameworks for testing and tracking, which were deployed rapidly in its successful suppression of COVID-19. China has its routine mass-surveillance system including CCTV cameras with facial recognition and was able to insist on the downloading of software for smartphones that gave individuals colour-coded quick response (QR) codes to signal whether they could pass freely or must remain quarantined.

The unusually fast spread of the coronavirus means that manual tracing would have been overwhelmed, requiring the speed and efficiency of a contact-tracing mobile app that has a memory of proximity contacts over recent days that can be notified if and when a contact is found to be positive.19 Thus digital controls are available for epidemics, provided they are used by enough people, allowing for those without a smartphone.

With governments adopting lockdown policies they sought data about the movement of people through the proxy of the location of their mobile phones, already widely used by many apps (e.g. Fitbit, Google Maps and Instagram) and more narrowly by law enforcement. In some countries mobile operators provided heat maps to show movements of their customers, arguing that the data were sufficiently aggregated to prevent the identification of individuals and thus complied with data protection legislation. In some countries the police used drones with cameras and even facial recognition and automatic number plate recognition to identify citizens who might be violating lockdown rules.

An economic argument is made that as lockdowns are being lifted an app might signal a clean bill of health for some short period of time, thus aiding our increasingly service-based economies, so much of which is delivered in person (e.g. coffee shops, gyms and restaurants). Wearing masks and gloves, washing hands and socially distancing, and wiping down surfaces could be supplemented by controlling those entering a bus or a building by requiring a clean app and a temperature check.

In China, some home delivery services provide the body temperatures of the cook and of the person delivering the food in efforts to reassure customers. A number of governments are developing their own apps, some more rapidly than others, in parallel with the expansion of testing. The app released in Moscow was said to be able to access data stored on the smartphone, including calls made and received, location data, stored files, network information and other data, all to ensure an individual does not leave home while contagious. A QR code was to be issued to prove the individual was permitted to go shopping or do some other activity and could be demanded by the police.

In an extraordinary move, Apple and Google offered to make concerted modifications to their operating systems to enable smartphones to identify other phones that had been within Bluetooth range, potentially creating for users of almost every smartphone a list of the other phones whose owners had been close enough to transmit or to receive the coronavirus. While they promise this will be secure, it offers a potential mechanism for governments to use for repressive purposes, with obvious concern that the supposed controls over the anonymity of the owners of phones might prove illusory. It offers yet another route for attacks using a variant of the IMSI-catcher.

The European Data Protection Supervisor has called for a pan-European model, applying data protection by design principles, for the COVID-19 mobile app, with an initiative already begun called the Pan-European Privacy-Preserving Proximity Tracing (PEPP-PT) to allow people to receive or to trigger an alert when moving between countries.20 Additionally, where the data are held in a central database there is a significant risk of hacking leading to data breaches.

The pursuit of the pandemic panopticon began in China and in South Korea, presenting significant challenges to privacy. Its wider adoption risks offering tacit support for authoritarian governments that might extend such measures and technologies long after the risk of infection has been eliminated by a vaccine.

One way to consider the correct response would be whether the use of such apps would be thought appropriate in a virus that spread less easily or in more limited ways, such as HIV.

A central concern where privacy is involved is whether the supposed anonymity of the data is effective or whether it can be de-anonymised, whether by criminals or by corporations. Linking such data to medical records raises obvious and very serious concerns, especially when names such as NSO Group and Palantir (surveillance technology providers) are mentioned.

CONCLUSION

Citizens living under authoritarian regimes have learned to be circumspect in their communications, whether conversations in cafés or use of the Internet, knowing that efforts are made to intercept and to report them. Meanwhile citizens of more democratic countries may be relaxed about sharing data, even when it is used to customise adverts for individuals in particular locations and states of mind, nudging them to spend and boost corporate profits. Much more dangerously, this marketing model is used to manipulate political actions, which can be combined with surveillance to control or repress dissent or protest.

A major constraint on surveillance in most countries is the lack of technical skills, with advanced economies taking action to boost their supplies of data scientists. Even a single smartphone may yield many Gigabytes of data that require processing, while some undersea cables carry tens of Terabits per second. It is little consolation that few governments are able to cope with such volumes and individuals may escape surveillance by being lost in the crowd. Given ubiquitous CCTV cameras with facial recognition, IMSI-catchers, social media and services like Clearview AI, it is becoming increasingly difficult to be lost in the crowd.

Since it is possible to track down and arrest individuals from their faces, gaits, and mobile telephones, increasingly individuals may be discouraged or afraid to dissent or protest against governments. Would the Christopher Street riot at the Stonewall Inn of just over half a century ago have happened today? Anti-government protestors in Hong Kong last year employed a range of measures to hide their identities, from wearing face coverings and holding umbrellas, to destroying “smart” lamp posts, and arrests of pro-democracy campaigners are still occurring months later.

The significant health and economic impacts of COVID-19 mean that surveillance-based tracking and tracing tools are being taken up worldwide. There is a need for enhanced parliamentary oversight to ensure policies and practices comply with human rights from the outset. Given the rapid advances in surveillance and interception technology, much greater attention to transparency and reporting is required if governments are to be held to account. The courts will also be called upon to test practice against human rights.

Warhol claimed that in the future we would be famous for fifteen minutes; now we might wish for fifteen minutes of anonymity.

EWAN SUTHERLAND is an independent telecommunications policy analyst, a research associate at the LINK Centre, University of the Witwatersrand, Johannesburg, South Africa and a trustee of the International Institute of Communications (IIC).

REFERENCES

1 Fund J (2019). How much do we trust Alexa, Siri, Nest, and Ring - and their makers? National Review. 14 July. bit.ly/2TrBdbp
2 Vodafone Group (2014). Law enforcement disclosure report. bit.ly/2VD9Pqs
3 MTN (2019). MTN position on online freedom of expression, privacy and security (digital human rights). bit.ly/36YyDgV
4 Foreign Intelligence Surveillance Act of 1978 Amendments Act of 2008. bit.ly/2QVUss6
5 Hepting v AT&T, 11-1200 (Supreme Court of the United States October 9, 2012).
6 Jewel v NSA, 4:08-cv-04373-JSW (Northern District of California May 19, 2017).
7 Privacy International (2018). Privacy International v Information Commissioner’s Office (IMSI Catcher FOIA). bit.ly/30uM4mG
8 Malawi Communications Regulatory Authority v Hophmally Makande and Eric Sabwera, 2013.
9 amaBhungane (2017). Advocacy: AmaB challenges snooping law. The amaBhungane Centre for Investigative Journalism. 20 April. bit.ly/2ToGxwm
10 Brady S (2012). Keeping secrets: A constitutional examination of encryption regulation in the United States and India. Indiana International & Comparative Law Review 22(2): 317-346. bit.ly/34LQgAk; Abraham S & Hickok E (2012). Government access to private-sector data in India. International Data Privacy Law 2(4): 302-315. bit.ly/2z5eJF1
11 Soldatov A (2015). The taming of the internet. Russian Politics & Law 53(5-6): 63-83. bit.ly/2xJ0TYB. On 12 November 2012 the Russian Supreme Court upheld the right of the authorities to wiretap opposition politicians.
12 Solon O (2015). Russia’s fist just clenched around the internet a little tighter. 31 August. bloom.bg/2TqkpSh
13 For example, European Union (1996). Council Resolution of 17 January 1995 on the lawful interception of telecommunications. Official Journal 39(C 329): 1-4. bit.ly/34RHG35 and European Telecommunications Standards Institute (2019). Technical Committee Lawful Interception. bit.ly/2uLJOLN and 3GPP (2019). 3G security: Lawful interception architecture and functions. 3rd generation partnership project. bit.ly/2NuREA8 and the United States equivalent is section 103 of the Communications Assistance for Law Enforcement Act (CALEA) of 1994 (47 USC 1001-1010), which resulted in standards and Telephone Industry Association (TIA) specification J-STD-025 and Packet Cable Electronic Surveillance Specification (PKT-SP-ESP-101-991229). Russia has its own standard, the System of Operational-Investigatory Measures (SORM).
14 Alibaba (2019). IMSI catcher gateway. bit.ly/35Ri5X2
15 CPTU (2019). RAB Forces HQ/CPS/2018-2019/4112316/190. 11 February. Government of the People’s Republic of Bangladesh. bit.ly/2TsnTUn
16 Primedia Broadcasting and others v Speaker of the National Assembly and others, 2016.
17 Barnes T (2019). Tory home secretary says government should be allowed to read people’s WhatsApp messages. Independent. 30 July. bit.ly/3arqh2F
18 Privacy International (2015). For God and my President: State surveillance in Uganda. bit.ly/2RSJy6C
19 Ferretti L et al. (2020). Quantifying SARS-CoV-2 transmission suggests epidemic control with digital contact tracing. Science. 31 March. bit.ly/3cylBJM
20 PEPP-PT (2020). Pan-European privacy-preserving proximity tracing. bit.ly/2zb5KCh
